Bug 1218446 (CVE-2023-7158)

Summary: VUL-0: CVE-2023-7158: micropython: heap-based buffer overflow in function slice_indices of the file objslice.c.
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: OtherAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/389587/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-12-29 09:10:25 UTC 
A vulnerability was found in MicroPython up to 1.21.0. It has been classified as critical. Affected is the function slice_indices of the file objslice.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.22.0 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-249180.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-7158
https://github.com/micropython/micropython/issues/13007

Patch:
https://github.com/micropython/micropython/pull/13039/commits/f397a3ec318f3ad05aa287764ae7cef32202380f
Comment 2 OBSbugzilla Bot 2024-01-08 03:35:00 UTC 
This is an autogenerated message for OBS integration:
This bug (1218446) was mentioned in
https://build.opensuse.org/request/show/1137463 Factory / micropython